samba - Jun 2021 - SID history secondary group set bloat

On 10/06/2021 08:59, Ralph Boehme wrote:
> Am 10.06.21 um 09:55 schrieb Rowland penny via samba:
>> Where he is getting multiple RIDs for the same group from.
>
> look at the Windows tokens he posted. He gets multiple UNIX ids 
> because he has multiple SIDs for the same name which is result of the 
> SID History Windows feature.
>
> Samba just mapps all those SIDs to UNIX ids.
>
> -slow
>
The more I learn about Active Directory, the less I know about it, looks 
like I need to read up on SID history ?

Rowland

On 10/06/2021 09:05, Rowland penny via samba wrote:
> On 10/06/2021 08:59, Ralph Boehme wrote:
>> Am 10.06.21 um 09:55 schrieb Rowland penny via samba:
>>> Where he is getting multiple RIDs for the same group from.
>>
>> look at the Windows tokens he posted. He gets multiple UNIX ids 
>> because he has multiple SIDs for the same name which is result of the 
>> SID History Windows feature.
>>
>> Samba just mapps all those SIDs to UNIX ids.
>>
>> -slow
>>
>
> The more I learn about Active Directory, the less I know about it, 
> looks like I need to read up on SID history ?
>
> Rowland
>
>
>
OK Ralph, from a brief bout of reading, it seems if you move an object 
from one domain to another, it gets a new SID and the old SID is stored 
in an attribute called 'sIDHistory'.

I think there are a couple of ways to sort this out, make windbind 
ignore the 'sIDHistory' attribute, or just remove all those attributes 
from AD.

Rowland